Skip to content

store_location_for should not store omniauth redirects #5813

Description

@jclusso

When a user is not active_for_authentication?, the Warden callback triggers warden.logout(scope). If the user was signing in via Google with OmniAuth, store_location_for may have already persisted a redirect, which can overwrite the intended redirect path.

This can also result in a CSRF error on the next sign-in attempt, since the app tries to follow that stale redirect.

I ran into this due to additional Warden hooks that also call logout. I’m not sure all the scenarios where this applies, but I’m happy to open a PR if there’s a recommended fix.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions